Bug 1256449 - CVE-2015-8381 pcre: Heap Overflow in compile_regex()
Status: CLOSED DUPLICATE of bug 1287711
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150821,repor...
Keywords: Security
Depends On: 1256452 1256453 1256454
Blocks: 1250945
Reported: 2015-08-24 11:22 EDT by Adam Mariš
Modified: 2016-02-22 16:28 EST

Doc Type: Bug Fix
Last Closed: 2016-02-22 16:28:36 EST
Description Adam Mariš 2015-08-24 11:22:51 EDT
Another heap overflow in PCRE (similar to 1250943) was found.
Taken from https://bugs.exim.org/show_bug.cgi?id=1672 :

"""
The latest version of PCRE is prone to a heap overflow vulnerability, which could be caused by the following regular expression.

/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/

A dry run of this particular regular expression with pcretest will report "double free or corruption (!prev)".
But it is actually a heap overflow problem.
It is a similar problem as https://bugs.exim.org/show_bug.cgi?id=1667 discussed.

The following test was conducted with the svn-updated version of pcre.
Here is the memory layout of re (its size is 248) just before the second compile_regexp():
==============================================================
(gdb) x/256b 0x1f8a8a0
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a8a8:      0x00    0x00    0x00    0x00    0x00    0x04    0x00    0x00
0x1f8a8b0:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a8b8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8c0:      0x00    0x00    0x40    0x00    0x04    0x00    0x05    0x00
0x1f8a8c8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8d0:      0x50    0xaf    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a8d8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8e0:      0x00    0x02    0x52    0x00    0x00    0x04    0x52    0x00
0x1f8a8e8:      0x00    0x05    0x52    0x00    0x00    0x03    0x52    0x00
0x1f8a8f0:      0x00    0x01    0x52    0x00    0x00    0x00    0x00    0x00
0x1f8a8f8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a900:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a908:      0xc0    0x91    0x34    0xf7    0xff    0x7f    0x00    0x00
0x1f8a910:      0xff    0xff    0xff    0xff    0x00    0x00    0x00    0x00
0x1f8a918:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a920:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a928:      0x80    0xa9    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a930:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a938:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a940:      0x90    0xa9    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a948:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a950:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a958:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a960:      0xff    0xff    0xff    0xff    0x00    0x00    0x00    0x00
0x1f8a968:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a970:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a978:      0xa0    0x76    0x34    0xf7    0xff    0x7f    0x00    0x00
0x1f8a980:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a988:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a990:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00]
0x1f8a998:      0x41    0x01    0x00    0x00    0x00    0x00    0x00    0x00
==============================================================

After the second compile_regexp:

==============================================================
(gdb) x/192b 0x1f8a8a0
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a8a8:      0x00    0x00    0x00    0x00    0x00    0x04    0x00    0x00
0x1f8a8b0:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a8b8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8c0:      0x00    0x00    0x40    0x00    0x04    0x00    0x05    0x00
0x1f8a8c8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8d0:      0x50    0xaf    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a8d8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8e0:      0x00    0x02    0x52    0x00    0x00    0x04    0x52    0x00
0x1f8a8e8:      0x00    0x05    0x52    0x00    0x00    0x03    0x52    0x00
0x1f8a8f0:      0x00    0x01    0x52    0x00    0x83    0x00    0xa6    0x83
0x1f8a8f8:      0x00    0xa0    0x83    0x00    0x8d    0x81    0x00    0x87
0x1f8a900:      0x85    0x00    0x81    0x00    0x01    0x1d    0x3a    0x83
0x1f8a908:      0x00    0x56    0x85    0x00    0x05    0x00    0x02    0x78
0x1f8a910:      0x00    0x05    0x81    0x00    0x48    0x85    0x00    0x42
0x1f8a918:      0x00    0x03    0x18    0x83    0x00    0x1e    0x85    0x00
0x1f8a920:      0x05    0x00    0x04    0x78    0x00    0x05    0x81    0x00
0x1f8a928:      0x10    0x85    0x00    0x0a    0x00    0x05    0x73    0x00
0x1f8a930:      0x00    0x00    0x05    0x78    0x00    0x0a    0x78    0x00
0x1f8a938:      0x10    0x77    0x00    0x13    0x85    0x00    0x0d    0x00
0x1f8a940:      0x04    0x85    0x00    0x05    0x00    0x05    0x78    0x00
0x1f8a948:      0x05    0x78    0x00    0x0d    0x78    0x00    0x31    0x1d
0x1f8a950:      0x6b    0x1d    0x27    0x1d    0x52    0x1d    0x27    0x78
0x1f8a958:      0x00    0x42    0x78    0x00    0x48    0x77    0x00    0x13
0x1f8a960:      0x85    0x00    0x0d    0x00    0x02    0x85    0x00    0x05
0x1f8a968:      0x00    0x03    0x78    0x00    0x05    0x78    0x00    0x0d
0x1f8a970:      0x78    0x00    0x69    0x1d    0x48    0x1d    0x27    0x1d
0x1f8a978:      0x41    0x1d    0x6b    0x1d    0x27    0x1d    0x52    0x1d
0x1f8a980:      0x66    0x78    0x00    0x81    0x78    0x00    0x87    0x77
0x1f8a988:      0x00    0x0d    0x1d    0x73    0x85    0x00    0x05    0x00
0x1f8a990:      0x01    0x78    0x00    0x05    0x78    0x00    0x9a    0x78]
0x1f8a998:      0x00    0xa0    0x78    0x00    0xa6    0x00    0x00    0x00
==============================================================
At least 5 more bytes are written to the heap.
"""

CVE request:

http://www.openwall.com/lists/oss-security/2015/08/24/1

Upstream patch:

http://vcs.pcre.org/pcre?view=revision&revision=1594
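To check the report's "at least 5 more bytes" against the two dumps, here is an added Python helper (not part of the bug report, PCRE or the exim tracker) that parses gdb x/Nb output in which [ and ] bracket the allocation, diffs the before/after dumps and reports what was modified past the end of the block; the three rows per dump embedded in it are copied from the dumps above, with the middle rows omitted. It finds an overflow extent of 5 bytes while only 4 bytes visibly changed, because one of the out-of-bounds writes put 0x00 over an existing 0x00, which is why the report can only claim a lower bound.

```python
import re

# Constructed sample: first row, last in-bounds row and first out-of-bounds row of
# each gdb dump in the report (middle rows omitted; bytes are keyed by address).
BEFORE = """\
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a990:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00]
0x1f8a998:      0x41    0x01    0x00    0x00    0x00    0x00    0x00    0x00
"""
AFTER = """\
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a990:      0x01    0x78    0x00    0x05    0x78    0x00    0x9a    0x78]
0x1f8a998:      0x00    0xa0    0x78    0x00    0xa6    0x00    0x00    0x00
"""

ROW = re.compile(r"^(0x[0-9a-f]+):\s+(.*)$")

def parse_dump(text):
    """Parse gdb 'x/Nb' output into {addr: byte} and return it together with
    the allocation bounds marked by '[' (start) and ']' (end, exclusive)."""
    mem, start, end = {}, None, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            addr = base + i
            if tok.startswith("["):
                start, tok = addr, tok[1:]
            if tok.endswith("]"):
                end, tok = addr + 1, tok[:-1]
            mem[addr] = int(tok, 16)
    return mem, start, end

def overflow_report(before, after):
    """Diff two dumps of the same region and describe writes past the
    allocation end. 'extent' is only a lower bound on how far the writer
    went: a byte overwritten with the value it already held leaves no trace."""
    b_mem, start, end = parse_dump(before)
    a_mem, _, _ = parse_dump(after)
    changed = sorted(a for a in a_mem if a >= end and a in b_mem and a_mem[a] != b_mem[a])
    # Size field (4 bytes, little-endian) follows the 4-byte magic; cross-check it.
    header_size = int.from_bytes(bytes(b_mem[start + 4 + i] for i in range(4)), "little")
    return {
        "alloc_size": end - start,
        "header_size": header_size,
        "changed_out_of_bounds": len(changed),
        "extent": (changed[-1] - end + 1) if changed else 0,
    }
```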
Comment 1 Adam Mariš 2015-08-24 11:25:29 EDT
Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1256452]
Comment 2 Adam Mariš 2015-08-24 11:25:31 EDT
Created mingw-pcre tracking bugs for this issue:

Affects: fedora-all [bug 1256453]
Affects: epel-7 [bug 1256454]
Comment 3 Stefan Cornelius 2015-08-24 11:54:40 EDT
Statement:

(none)
Comment 4 Fedora Update System 2015-08-25 09:18:43 EDT
pcre-8.37-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14229
Comment 5 Fedora Update System 2015-08-25 09:25:43 EDT
pcre-8.37-4.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14235
Comment 6 Fedora Update System 2015-08-25 09:41:36 EDT
pcre-8.35-14.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14242
Comment 7 Fedora Update System 2015-08-26 00:25:12 EDT
pcre-8.37-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14229
Comment 8 Fedora Update System 2015-08-26 13:24:43 EDT
pcre-8.35-14.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14242
Comment 9 Fedora Update System 2015-08-26 13:27:19 EDT
pcre-8.37-4.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14235
Comment 10 Fedora Update System 2015-08-27 13:56:56 EDT
pcre-8.37-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-09-11 13:22:52 EDT
pcre-8.37-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2015-09-11 14:48:44 EDT
pcre-8.35-14.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Tomas Hoger 2016-02-22 16:28:36 EST

*** This bug has been marked as a duplicate of bug 1287711 ***